cute robot

TimNash.co.uk

Dev/Sec/Ops with a splattering of humour

Bye Bye KeePass, hello Bitwarden

It is no secret I am a proponent of password managers. As someone who openly admits not remembering my other halves birthday (even though its the same day as my fathers) the idea of remembering potentially hundreds of passphrases is just not going to happen.

Instead, I use unique passphrases for some accounts, and for everything else, I use a password manager. My password manager of choice for many many years has been KeePass.

KeePass is great

I will be honest I didn’t go with KeePass because it’s a totally open platform, built on Open Source.

I didn’t go with it because it has a flexible model, allowing its database to simply be stored on anything that can store files.

Or because of its wide range of clients.

When I started using KeePass it was free, it still is, but while I have gained all the benefits that come from KeePass my original choice (many years ago) was purely based on price.

There wasn’t anywhere near the choice when I first started using KeePass and I didn’t like the business models and had serious concerns about how data was being stored in the early days of password managers. So KeePass won. It did have a few negatives.

The choice of clients was limited (and numerous, with many half, finished, but few usable clients) and each client had a totally different UX which was utterly frustrating. It was flaky, or rather my implementation was flaky and I often found myself having to tweak settings, or just abandon storage providers. I probably lost in man-hours almost as it would have cost to use a commercial provider over the years.

Move on a few years, well its exactly the same, only now with the added fun that there are several different protocols and combinations making the KeePass world even more fragmented. It’s still a great solution but one fraught with grumbles.

The next issue is entirely my own, but I have reluctantly been managing an owncloud install locally originally with huge intentions of managing documents and such other stuff. These days KeePass was the only thing actually using it. So I wanted to close down what felt like a ridiculous overhead, which meant either move my KeePass database to something sensible or you know abandon a platform I have used for years and years on a whim because something else came along.

Yeah I obviously chose the later

Introducing BitWarden

So Bitwarden is a password manager in a similar vein to other password managers out there. What makes it unusual is it’s open source like KeePass though there is a hosted solution (with a free tier) making this exceptionally easy to get started.

The power though for me is that I can use the official clients, for both Android, Chrome, Linux and MacOS with my own Bitwarden server which manages my vault. Rather than using the default vault setup and account system Bitwarden offers.

Bitwarden uses a client-server model for syncing passwords, as opposed to KeePass every client sharing the database file. So in some ways, this has much more overhead as you need to manage the server, though in my case by removing the owncloud infrastructure I have reduced overhead making this simpler and more in keeping with my current tooling.

The official apps and server setup has gone through an independent security audit, every password manager has had and no doubt will have issues but its nice to see the commercial side of Bitwarden being used in part to fund such activities as it gives a level of confidence that well they care. Speaking of they, while an Open Source project it is very much focused around a small team (like of 1) for the official clients and server this is a slight concern however there is enough of a community that should issue arrive I’m confident that folks would step up to maintain it.

The bigger issue, the server environment if you want to run your own vault is .net and SQL server and while they provide a docker image this is a bit of a show stopper as really a completely different technology stack to what I’m happy managing. Which feels like I would be right back where I started.

Thankfully Bitwarden is open source and has a well-documented API meaning there are numerous alternative vault servers in a variety of languages. They haven’t gone through independent security audits and perhaps even more then the official server is one person bands.

My choice of server is bitwarden_rs by Daniel García, it’s fast, well documented and written in a language that not only do I understand but have an active interest and develop in. Meaning I can read the code and understand what it does and potentially even fix issues if they arise.

So building it is just run the docker image…
Except I don’t use the “official” unofficial servers docker image, and instead, build the binary and run it alongside the official node based Webvault myself I mean how hard can it be, to get a Rust binary deployed…

Getting it all running

By far the simplest way to get up and running and testing is to download the Docker image and run it.

Which of course is totally not the way I ended up running it, so I compiled it from source, downloading the project files, which assumes you are going to then run it in Docker.

I initially tripped up by the presences of rust-toolchain file which kept trying to set Rust environment to a version that wasn’t on the machine and caused a fair amount of head scratching it wouldn’t be quite so bad except I had, come across the same issue a few weeks previously for a different project.

Once built the second part is to build the web vault which is the standard Bitwarden Web Vault with a patch. This web vault is built using NodeJS and has all the typical million and one dependencies you would expect.

Couple of things worth noting about installing Web Vault, clone and do all the setup stages, and then copy the build folder contents to target/release/web-vault.

Once done you are free to start ./bitwarden_rs and then you can access the vault on 127.0.0.1:8000

It’s about this point, you switch from doing this locally on your mac, to throwing it on a VM on your network.

Configuration is done using a .env

On production I setup:

cat bitwarden_rs.env
## Bitwarden_RS Configuration File

## Main data folder
 DATA_FOLDER=/var/lib/bitwarden_rs/data

## Web vault settings
 WEB_VAULT_FOLDER=/var/lib/bitwarden_rs/web-vault/

##Extended Logging
 EXTENDED_LOGGING=true

## Logging to file
 LOG_FILE=/var/log/bitwarden_rs

## Log level
 LOG_LEVEL=Info

## Disable 2FA remember
## Enabling this would force the users to use a second factor to login every time.
## Note that the checkbox would still be present, but ignored.
# DISABLE_2FA_REMEMBER=false

## Controls if new users can register
 SIGNUPS_ALLOWED=false

## Invitations org admins to invite users, even when signups are disabled
 INVITATIONS_ALLOWED=true

## Whether password hint should be sent into the error response when the client request it
 SHOW_PASSWORD_HINT=false

## Domain settings
 DOMAIN=https://pm.domain.net:443 #my domain

## Rocket specific settings, check Rocket documentation to learn more
 ROCKET_ADDRESS=0.0.0.0 # containers IP
 ROCKET_PORT=443
 ROCKET_TLS={certs="/etc/bitwarden_rs/certs/cert.pem",key="/etc/bitwarden_rs/certs/key.pem"}

Beyond that, it’s just a case of setting up a SystemD unit and then setting up IPTables to limit access to the container only to devices inside my network. To get Bitwarden running on my phone, I use OpeVPN for Android, and have it set to always run when using the Bitwarden app, its a bit slow at times but works quite well.

So what I have is a password manager, with support for my u2f keys, sitting on my internal network

If that sounded like a lot of work, then A) you can use the existing docker images and B) there is a web based service provided by Bitwarden themselves.

The final gotcha…

So I have everything set up or so I think, I go into the clients and where is the ability to tell it to use my vault?

I search and search. I google and it turns out I suck at Googling.

Then I found the important step, I’m going to assume like me you downloaded the clients, signed into them (using Bitwarden Hosted service to have a play) yep, me too. Log out, then click the settings cog, and put in the URL for yourself hosted version.


Yeah I felt dumb.

So do I recommend Bitwarden?

Maybe.

If you currently use KeePass or indeed any other password service and are happy with it, no don’t move there is nothing revolutionary here. Certainly perhaps not worth the ordeal of migration.

If you are currently using a hosted password service (LastPass, OnePassword etc) and are thinking you want complete control and have been pondering using KeePass then I would encourage you to take a look at Bitwarden. The infrastructure requirements might put you off, KeePass in many ways is simpler if done right however overall if you want to manage passwords yourself I think Bitwarden does win, especially Bitwarden_rs.

If you are thinking about using a Password manager and are not technical then either look at the hosted solution or consider going with OnePassword or another hosted solution.

If you are not using a password manager, and are not a super genius who can remember thousands of long strings in their heads, consider a password manager. In fact, don’t consider start using one.